[PATCH 00/11] hornet: security, tooling and selftest fixes

Paul Moore paul at paul-moore.com
Fri May 29 20:56:17 UTC 2026 

On Thu, May 28, 2026 at 9:39 PM Paul Moore <paul at paul-moore.com> wrote:
> On Wed, May 27, 2026 at 11:09 PM Blaise Boscaccy
> <bboscaccy at linux.microsoft.com> wrote:
> >
> > Patch 1 closes a TOCTOU race in signature verification. Map
> > contents were hashed at the program-load hook and re-hashed at
> > the program-run hook, leaving a window in which a sufficiently
> > privileged attacker could mutate a map between the two checks
> > and run a program whose maps no longer matched what was signed.
> > The fix records the verified hashes on the prog at load time
> > and, in security_bpf_prog, checks them against
> > prog->aux->used_maps — the same map set the verifier and
> > runtime resolve against — so the verified and executed sets
> > cannot diverge. The per-map index in the signature format is no
> > longer needed and is dropped; the check becomes a subset test.
> > Reported by Eric Biggers.
> >
> > Patches 2-3 fix two counting bugs in the same area: duplicate maps
> > could satisfy the required hash count, and an off-by-one capped
> > accepted maps at MAX_USED_MAPS.
> >
> > Patches 4-11 are in response to sashiko feedback found here:
> > https://sashiko.dev/#/patchset/20260507191416.2984054-1-bboscaccy%40linux.microsoft.com
> >
> > They provide some correctness fixes in the hornet tooling along with
> > making the selftest behave under cross-compilation and skip cleanly
> > when signing keys / bpftool / vmlinux BTF are unavailable, instead of
> > breaking the global selftest build.
> >
> > Blaise Boscaccy (11):
> >   hornet: fix TOCTOU in signed program verification
> >   hornet: invert map set check logic
> >   hornet: fix off-by-one bug in max used maps check
> >   selftests: hornet: handle cross compilation and test skipping
> >   hornet: gen_sig: fix off-by-one check for used maps
> >   hornet: gen_sig: fix error string allocations
> >   hornet: gen_sig: check for bad allocations
> >   hornet: gen_sig: fix missing command line switches
> >   hornet: scripts: set a non-zero error code for usage
> >   hornet: scripts: harden scripts to handle trailing whitespace
> >   hornet: scripts: Improve argument handling and error messages
> >
> >  Documentation/admin-guide/LSM/Hornet.rst |  39 +++---
> >  scripts/hornet/extract-insn.sh           |  24 ++--
> >  scripts/hornet/extract-map.sh            |  25 ++--
> >  scripts/hornet/extract-skel.sh           |  35 ++++--
> >  scripts/hornet/gen_sig.c                 |  61 ++++++----
> >  scripts/hornet/write-sig.sh              |  10 +-
> >  security/hornet/hornet.asn1              |   1 -
> >  security/hornet/hornet_lsm.c             | 148 ++++-------------------
> >  tools/testing/selftests/hornet/Makefile  | 114 +++++++++++++----
> >  9 files changed, 235 insertions(+), 222 deletions(-)
>
> Aside from a possible (?) typo in patch 5/11, this patchset looks okay
> to me so I'm going to merge it to lsm/dev-staging now with the idea of
> moving it to lsm/dev once Blaise provides some clarity on patch-5.

With the typo in 5/11 sorted out, I've gone ahead and moved these
fixes over to lsm/dev.  I also took the liberty of adding the
associated 'Fixes:' tags, not critical in this case, but nice to have.

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list